Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!iuvax!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: drew@dave.nrl.navy.mil (Greg Drew)
Newsgroups: comp.virus
Subject: Re: Anti-virus viruses
Message-ID: <0009.9008171919.AA16211@ubu.cert.sei.cmu.edu>
Date: 17 Aug 90 14:58:32 GMT
Sender: Virus Discussion List
Lines: 27
Approved: krvw@sei.cmu.edu

In issue 143, Scott Erickson stated that "I don't see any additional
danger the average user is put into with the innovation of
antiviruses...." I would agree that some of his points have merit, but
I would like to give one example of how a phony antivirus could pose a
greater danger than a "standard" virus.

Many people using Macintoshes now employ some sort of resident virus
blocker such as Vaccine or Disinfectant. These types of utilities are
designed to identify known viruses and to BLOCK SUSPICIOUS ACTIVITY.
Many of these have an option to allow this kind of activity to certain
programs (compilers, etc). If a virus writer wanted an easy way to get
around these programs, all he or she would need to do is to have the
virus identify itself as an antivirus, and then ask the user to set his
or her virus protection to allow the virus in. After a few days, weeks,
or months, the seemingly helpful antivirus would then reveal its true
colors.

It is certainly easier for a virus writer to put in some message like
the one above (perhaps one which only reveals itself if the virus
detects something like Disinfectant) than for the person to design a
virus to get around the protection.

- GDD

-------------------------------------------------------------------
Greg Drew | drew@dave.nrl.navy.mil | (202) 767 - 6886
-------------------------------------------------------------------
My opinions in no way reflect those of the Naval Research Lab,
the U.S. Navy, or any other organization.